Will Okta Get Its Credit Back After Lapsus$ Breach? We will see


Okta’s decision not to disclose a January breach that may have impacted hundreds of customers, and the vendor’s choices about which details to share after the hacker group Lapsus$ revealed the incident, remain a matter of debate in the cybersecurity community.

That leads some to ask questions about Okta’s future, such as: How much reputation damage could this cause Okta? And will the leading identity security firm be able to make a full recovery?

Investors have already hit Okta hard, as the company’s shares have fallen 15% since the announcement of the incident. But within the security community, opinions about the potential impact on Okta’s reputation vary widely.

Jake Williams, a noted cybersecurity consultant and faculty member at IANS, wrote on Twitter today that based on Okta’s handling of the Lapsus$ incident, “I honestly don’t know how Okta is regaining the trust of corporate organizations.”

“I’m generally in the ‘incidents happen, learn from them and move on, but no heads need to roll’ camp,” Williams wrote. “I’m not so sure here. There seem to be MULTIPLE glitches and without full transparency? Yaks.”

Unanswered questions

The comment was the conclusion of a series of tweets in which he explored some elements of Okta’s communication choices about the incident. In particular, Williams noted the many questions that Okta, a leading provider of identity verification and management, has left unanswered about what happened.

“Disclose the timeline and process by which Okta customers would have been notified if the Lapsus$ screenshots had not been posted,” Williams wrote.

What Okta has said is that from Jan. 16-21, Lapsus$ had access to the laptop of a customer service representative who worked for a third-party Okta support provider, Sitel. The company said 366 customers may have been affected.

However, Okta didn’t disclose the incident until Tuesday, and only then in response to Lapsus$ posting screenshots to Telegram as evidence of the breach.

Okta CSO David Bradbury appears to have pointed the finger at Sitel for the timing of the reveal. In a blog post, Bradbury said he was “extremely disappointed” at how long it took Okta to receive a report about the incident from Sitel, which had hired a cyberforensics firm to investigate. (Sitel declined to comment on that point.)

However, this message from Okta “strongly implies” that the company “was unable to investigate without Sitel’s report,” Williams wrote on Twitter.

“Given my experience in these things, I call shenanigans,” he wrote. “If Okta wants to continue this story, they need to bring receipts.”

An ‘unthinkable’ scenario?

Ultimately, Williams said, it’s “inconceivable” that Okta knew one of its service providers was compromised but “took no action in the meantime.”

Okta did not immediately respond to a request for comment today, but declined to comment Wednesday when VentureBeat asked about its decision not to disclose the incident.

Williams is far from the only one to suggest that Okta made a mistake in taking so long to disclose a breach that may have affected numerous customers.

“That [delay in disclosure] is why this is bad,” Andras Cser, vice president and chief analyst for security and risk management at Forrester, said in an interview on Wednesday. “It’s not because they’ve been violated — that’s what happens. The fact is they haven’t made any kind of disclosure.”

At cybersecurity vendor Atmosec, co-founder and CTO Misha Seltzer says it’s clear to him that “Okta made a mistake by not disclosing the issue in January.”

“Engaged customers deserve to know so they can conduct their own research,” Seltzer said.

‘Too long’ to reveal?

At Tenable, a cybersecurity firm and Okta customer, CEO Amit Yoran said in a LinkedIn message on Wednesday that “two months is too long.”

In what he called an “Open Letter to Okta,” Yoran said the vendor was not only slow to publicize the incident, but also made a series of other missteps in its communications.

“When you were laughed at by LAPSUS$, you brushed off the incident and literally failed to provide any useful information to customers,” Yoran wrote. “LAPSUS$ then pointed out to you your apparent misstatements. Only then did you determine and admit that 2.5% (hundreds) of customers’ safety had been compromised. And still there are no useful details and recommendations.”

Ultimately, “trust is based on transparency and corporate social responsibility, and requires both,” he wrote. “Even Mandiant was violated [in the SolarWinds attack]. But they had the determination and ability to give as much detail as possible. And as a result, they remain one of the most trusted brands in security.”

Committed to transparency?

Still, others in the cybersecurity industry have had a different assessment of Okta’s handling of the incident and communication about it.

“Okta does exactly what a company that values security and customer success should do,” said Ronen Slavin, co-founder and CTO of software supply chain security company Cycode. “They communicate quickly and transparently.”

Slavin mentioned the fact that Okta CEO Todd McKinnon responded to the Lapsus$ screenshots on Twitter in the middle of the night (1:23 am PST) on Tuesday.

“It shows that this matter was addressed at the highest possible level of the company. And it shows that the CEO was immediately involved and wanted to provide transparency personally,” said Slavin.

Okta also made it clear that “they believed this was an isolated incident and there was nothing to disclose,” he said.

“For them to believe that their service has not been breached, and yet realize that 366 customers could be affected, is exactly the kind of transparency that all software companies should strive for,” Slavin said. “If Okta wasn’t committed to being transparent, why would they recognize the possibility of 366 customers being breached?”

So, when asked whether Okta could harm its reputation in the longer term, Slavin said he doesn’t believe it would be justified.

“I hope not,” he said. “Okta has a strong track record of transparency, with incidents dating back to Heartbleed and AWS outages. So Okta has earned the credibility for us to believe that they are transparent.”

Long-term effect

Cser also said that despite some criticism of the incident, he does not believe the incident will have a lasting effect on Okta’s reputation.

“I don’t think it will harm them in the long run,” he said. “They will probably spend a lot of money on analytics, instrumentation and eventually get better security. I think they will only come out stronger.”

Demi Ben-Ari, co-founder and CTO at third-party security management firm Panorays, said it’s hard to say at this point what the reputational damage could be for Okta.

“Many major security companies have been hacked and with no lasting impact in the aftermath,” he said. “The key is to see how that company handles their responsibility to customers.”

Okta, for its part, has emphasized that the potential impact on customers was limited as its own service was not breached and only one account, belonging to one Sitel support engineer, was used.

“We take our responsibility to protect and secure customer information very seriously,” Bradbury said in a blog post. “Our sincere apologies for the inconvenience and uncertainty this has caused.”


This post, “Will Okta Get Its Credit Back After Lapsus$ Breach? We will see,” was originally published at https://venturebeat.com/2022/03/24/will-okta-recover-its-cred-after-lapsus-breach-well-see/